tags 448372 + patch tags 447639 + patch thanks Hi, the attached patch for an NMU fixes CVE-2007-5623 and the incomplete patch for CVE-2007-5198. It will also be archived at: http://people.debian.org/~nion/nmu-diff/nagios-plugins-1.4.8-2.1_1.4.8-2.2.patch
As the patch for CVE-2007-5198 by Steffen was incomplete, I will upload this as a 0-day NMU to complete that patch and, in doing so, also fix CVE-2007-5623. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u nagios-plugins-1.4.8/debian/changelog nagios-plugins-1.4.8/debian/changelog
--- nagios-plugins-1.4.8/debian/changelog
+++ nagios-plugins-1.4.8/debian/changelog
@@ -1,3 +1,12 @@
+nagios-plugins (1.4.8-2.2) unstable; urgency=high
+
+ * Non-maintainer upload by testing-security team.
+ * Fix remote DoS which can be triggered by a remote attacker
+ via crafted snmpget replies (CVE-2007-5623) (Closes: #448372).
+ * Modifying CVE-2007-5198 patch since it is incomplete (Closes: #447639).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sun, 28 Oct 2007 16:15:54 +0100
+
 nagios-plugins (1.4.8-2.1) unstable; urgency=high
 * Non-maintainer upload by the testing-security team
diff -u nagios-plugins-1.4.8/debian/patches/00list nagios-plugins-1.4.8/debian/patches/00list
--- nagios-plugins-1.4.8/debian/patches/00list
+++ nagios-plugins-1.4.8/debian/patches/00list
@@ -11,0 +12 @@
+CVE-2007-5623.dpatch
diff -u nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
--- nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
+++ nagios-plugins-1.4.8/debian/patches/CVE-2007-5198.dpatch
@@ -5,8 +5,9 @@
 ## DP: Fixes CVE-2007-5198
 @DPATCH@
---- check_http.c.orig 2007-10-06 07:53:29.000000000 +0000
-+++ nagios-plugins-1.4.8/plugins/check_http.c 2007-10-06 08:16:02.000000000 +0000
+diff -urNad nagios-plugins-1.4.8~/plugins/check_http.c nagios-plugins-1.4.8/plugins/check_http.c
+--- nagios-plugins-1.4.8~/plugins/check_http.c 2007-03-06 23:45:57.000000000 +0100
++++ nagios-plugins-1.4.8/plugins/check_http.c 2007-10-28 16:25:01.000000000 +0100
 @@ -53,7 +53,8 @@
 enum {
 MAX_IPV4_HOSTLENGTH = 255,
@@ -56,6 +57,15 @@
 char *url;
 addr = malloc (MAX_IPV4_HOSTLENGTH + 1);
+@@ -1087,7 +1087,7 @@
+ die (STATE_UNKNOWN, _("Could not allocate url\n"));
+
+ while (pos) {
+- sscanf (pos, "%[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
++ sscanf (pos, "%1[Ll]%*[Oo]%*[Cc]%*[Aa]%*[Tt]%*[Ii]%*[Oo]%*[Nn]:%n", xx, &i);
+ if (i == 0) {
+ pos += (size_t) strcspn (pos, "\r\n");
+ pos += (size_t) strspn (pos, "\r\n");
 @@ -1099,17 +1099,21 @@
 }
only in patch2:
unchanged:
--- nagios-plugins-1.4.8.orig/debian/patches/CVE-2007-5623.dpatch
+++ nagios-plugins-1.4.8/debian/patches/CVE-2007-5623.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5623.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+ [EMAIL PROTECTED]@
+diff -urNad nagios-plugins-1.4.8~/plugins/check_snmp.c nagios-plugins-1.4.8/plugins/check_snmp.c
+--- nagios-plugins-1.4.8~/plugins/check_snmp.c 2007-02-02 10:10:22.000000000 +0100
++++ nagios-plugins-1.4.8/plugins/check_snmp.c 2007-10-28 16:14:48.000000000 +0100
+@@ -217,12 +217,16 @@
+
+ ptr = output;
+
+- strcat(perfstr, "| ");
++ strncat(perfstr, "| ", sizeof(perfstr)-strlen(perfstr)-1);
+ while (ptr) {
+ char *foo;
++ unsigned int copylen;
+
+ foo = strstr (ptr, delimiter);
+- strncat(perfstr, ptr, foo-ptr);
++ copylen = foo-ptr;
++ if (copylen > sizeof(perfstr)-strlen(perfstr)-1)
++ copylen = sizeof(perfstr)-strlen(perfstr)-1;
++ strncat(perfstr, ptr, copylen);
+ ptr = foo;
+
+ if (ptr == NULL)
+@@ -351,11 +355,11 @@
+
+ i++;
+
+- strcat(perfstr, "=");
+- strcat(perfstr, show);
++ strncat(perfstr, "=", sizeof(perfstr)-strlen(perfstr)-1);
++ strncat(perfstr, show, sizeof(perfstr)-strlen(perfstr)-1);
+ if (type)
+- strcat(perfstr, type);
+- strcat(perfstr, " ");
++ strncat(perfstr, type, sizeof(perfstr)-strlen(perfstr)-1);
++ strncat(perfstr, " ", sizeof(perfstr)-strlen(perfstr)-1);
+
+ } /* end while (ptr) */
+
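Review bot: The `%1[Ll]` width in the `sscanf` call of the added `-1087` hunk is only safe if `xx` holds at least two bytes (one character plus the terminating NUL); the declaration lies outside this hunk, so that should be confirmed and recorded next to the call, e.g. `/* width 1 + NUL must fit in xx */`. The following `if (i == 0)` test also depends on `i` being zero when the match fails, because `%n` is not stored in that case; whether `i` is reset on each pass of the `while (pos)` loop is not visible here. The loop body continues past the end of the hunk.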
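Review bot: In the `@@ -217` hunk of check_snmp.c, `copylen = foo-ptr;` is still evaluated when `strstr` returns NULL, because the `if (ptr == NULL)` test only comes after the `strncat`; subtracting from a null pointer is undefined, and the result is stored in an `unsigned int` although it is compared against a `size_t` expression. Declaring `size_t copylen;` and using `copylen = foo ? (size_t)(foo - ptr) : strlen(ptr);` keeps the clamp meaningful on every path. All the new bounds use `sizeof(perfstr)`, which is correct only if `perfstr` is an array in this scope; its declaration is outside both hunks, so that is worth confirming, along with whether silently truncated performance data is acceptable to whatever consumes it. The dpatch header still reads `## DP: No description.` and could name the CVE, as the CVE-2007-5198 dpatch does.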